Netstat tutorial

To start, I didn't see any tutorials dealing with the use of netstat, which surprised me considering how useful it is, so I decided to write one. Here it is:

In its purest form a netstat is 100% useful; just drop to a command prompt (this tutorial is only covering Windows-based netstats, so flags and such from the *nix versions will not be covered) and type 'netstat'. When running a simple netstat the columns should be: Proto, Local Address, Foreign Address, and State.

The protocol column should hold the protocol used by the open socket (valid choices are IP, TCP, UDP, or ICMP); two sockets can use the same port assignment as long as they use a different protocol.

The Local Address column should contain the address of the local machine: either the machine name, the loopback IP (127.0.0.1) or 0.0.0.0, which states that the socket will accept information from any interface on the machine. Also shown under this field is the outgoing port. This is the number (or name) after the colon. This number will normally (unless you are using some strange software) be 1025 or up, so basically an entry in this column should look like "0.0.0.0:1031".

The Foreign Address field is the address and port number the socket is "addressing" the information to. It will either be by hostname (if available) or by IP address, and much like the Local Address field it will have a colon and then the destination port number. So an entry in this field will appear as "65.252.12.5:80". This basically means that there is a connection to 65.252.12.5 on port 80; if you look in the Proto section this will probably be a TCP connection (normally web browser traffic).

The State field is used to tell what the socket is currently doing; valid choices are CLOSED, FIN_WAIT_1, FIN_WAIT_2, SYN_RECEIVED, CLOSE_WAIT, SYN_SENT, ESTABLISHED, LISTEN, TIME_WAIT, and LAST_ACK. ESTABLISHED basically means what it says: that the socket is sending and receiving and has an active connection going. SYN_SENT means that the socket is attempting to establish a connection, waiting on an ACK from the remote host. SYN_RECEIVED means that the connection has been initialized, AKA one step past the SYN_SENT state. The FIN_WAIT_1 state means the socket is closed, and it has started shutting down the connection. FIN_WAIT_2 is the same as _1 only it is waiting for the socket to close and for the remote unit to send a shutdown packet. The CLOSED state means the socket is not in use. The CLOSE_WAIT state means that the remote end has already shut down and is waiting to close. LAST_ACK means the socket is waiting for acknowledgement; the remote end has already shut down and the socket is closed. LISTEN means the socket is listening for an incoming connection. UNKNOWN will sometimes populate the field; this is a very strange thing to have happen and basically means that the OS does not know what the socket is doing, and is basically lost.

Now, let's go a little farther and try some of the parameters used with netstat. For starters, the -p switch: type 'netstat -p <protocol name from above>'. Let's say you wanted to see all the TCP sockets you have open? Well... type 'netstat -p TCP' and it will list them. Valid choices are any that are listed above, including ICMP, UDP, and IP. Just as a note, on some Unix machines it is possible to add protocols by editing /etc/protocols, naming the packet type, and then making a program to construct a packet of this type (this is slightly beyond the scope of this tutorial though, just a widdle!)... Now that we understand somewhat how to limit the output of netstat, let's look at how to get useful stuff out of it.

Ever wondered how to tell if your NIC is sending/receiving traffic? Well, we have two choices available to us: we could use the -e switch to check for Ethernet frames sent and received, or the -s switch to get the sent/received counts for the different protocols. These switches can be combined, making the switch -es or -se, which will display the information that both switches would give. There is also other very useful information that these switches provide, but that is slightly beyond what this tutorial was intended to show.

The -r switch can be used to display the interface list and the routing table. This information is useful when troubleshooting a network or dialup connection that is not pingable and cannot ping out. This shows how information is being routed out of the computer and how it is being looped around to the local host.

I hope this was slightly useful to someone. I got an email from someone asking for more information, mainly about the states the sockets are in. If anyone has any questions or finds any misinformation in this, email me or PM me and I will fix it.
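
A worked example, added here and not part of Cheezball's post: a small Python script that parses the output of a Windows 'netstat -an' into the four columns the tutorial describes and then triages it the way the tutorial reads them: which sockets are bound to 0.0.0.0 (and so accept input from any interface), which TCP sockets have a real network peer rather than a loopback or wildcard foreign address, and how the connection states are distributed. The sample output embedded in the script is constructed, not captured from a live host. Two details of the real command are reflected in it: Windows prints LISTENING (not LISTEN) in the State column, and leaves State blank for UDP sockets. The script uses only the standard library and does not need to run on Windows.

```python
"""Parse Windows `netstat -an` output and triage the sockets it lists."""
import ipaddress
import re
from collections import Counter, namedtuple

# Constructed sample of `netstat -an` output on Windows; not captured from a real host.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1031         127.0.0.1:1032         ESTABLISHED
  TCP    192.168.1.10:1042      65.252.12.5:80         ESTABLISHED
  TCP    192.168.1.10:1043      65.252.12.5:443        TIME_WAIT
  TCP    192.168.1.10:1044      203.0.113.7:4444       SYN_SENT
  UDP    0.0.0.0:137            *:*
  UDP    127.0.0.1:1900         *:*
"""

Socket = namedtuple("Socket", "proto laddr lport faddr fport state")

# One data row: Proto, Local Address, Foreign Address and an optional State
# (Windows prints no State for UDP sockets).
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def split_endpoint(endpoint):
    """Split 'addr:port' into (addr, port).

    Handles IPv6 endpoints such as '[::]:135' and the UDP wildcard '*:*'
    (port becomes None when it is not numeric, e.g. '*' or a service name).
    """
    addr, _, port = endpoint.rpartition(":")
    if addr.startswith("[") and addr.endswith("]"):
        addr = addr[1:-1]
    return addr, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return a list of Socket records, skipping the header and blank lines."""
    socks = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # 'Active Connections', column header or blank line
        proto, local, foreign, state = m.groups()
        laddr, lport = split_endpoint(local)
        faddr, fport = split_endpoint(foreign)
        socks.append(Socket(proto, laddr, lport, faddr, fport, state or ""))
    return socks


def _is_wildcard(addr):
    """0.0.0.0 / :: mean 'any interface'; '*' is the UDP 'no peer' marker."""
    return addr in ("*", "0.0.0.0", "::")


def _is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # a hostname (netstat run without -n) or '*'


def listening_on_all_interfaces(socks):
    """Sockets reachable from every interface: the tutorial's 0.0.0.0 case.

    UDP has no LISTENING state, so a UDP socket bound to 0.0.0.0 counts too.
    """
    return [s for s in socks
            if _is_wildcard(s.laddr) and (s.state == "LISTENING" or s.proto == "UDP")]


def external_connections(socks):
    """TCP sockets with a real network peer (not loopback, not a wildcard)."""
    return [s for s in socks
            if s.proto == "TCP" and s.state != "LISTENING"
            and not _is_wildcard(s.faddr) and not _is_loopback(s.faddr)]


def state_counts(socks):
    """How many sockets are in each State (UDP rows have no state and are skipped)."""
    return Counter(s.state for s in socks if s.state)


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE)
    print("states:", dict(state_counts(socks)))
    for s in listening_on_all_interfaces(socks):
        print(f"open to any interface: {s.proto} port {s.lport}")
    for s in external_connections(socks):
        print(f"peer {s.faddr}:{s.fport} <- local port {s.lport} [{s.state}]")
```

Run it against the sample and the three views fall out of the same parsed rows: two TCP listeners and one UDP socket on 0.0.0.0, three TCP sockets with an outside peer (one of them still in SYN_SENT, i.e. a connection attempt the remote host has not yet answered), and a state histogram. To use it on a real machine, paste the output of 'netstat -an' into SAMPLE or read it from a file; the parser does not care which.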

cool

That was cool and interesting. I'm just starting to learn about netstat and NetBIOS. I'm really glad that you were able to explain netstat easily without overstating the technical part of it. If you can tell me more, or if you can send me some stuff like the one you posted, that would be cool. Thanks.

lol, the reason why I never thought of creating a tut for netstat is because you can type "netstat" or "netstat /?" on the command line and you get what you need. But nevertheless, I do think this tut is nice.

And about responses to the newbies: when someone asks us how to use netstat, normally we reply to them by telling them to type "netstat" or "netstat /?" on the command line. We can't say "look at the tut" because we know there isn't any tut for netstat (well, not until now), because we thought it doesn't need any. netstat to us was just a simple, basic, common command, same as "dir" or "cd".

But yeah, this tut is nice, and I do think it is useful. I'm just explaining why Cheezball didn't find any tut on netstat here in AO.